Blog

New Brazilian Cyberlaw

Published:
4/17/13 10:07 PM

Brazil's new cyberlaw is not tough enough to fight electronic crimes.

By Renato Opice Blum

After 15 years of discussion, Brazil's government has enacted a law that typifies computer-related crimes and covers important issues such as electronic device invasion, unauthorized remote access and interruption of web services.
This article intends to analyze some aspects of the long-awaited Law 12.737/2012.

The text of this short law is as follows:

Article 1: This Act provides for the classification of criminal offences and other matters involving computers.

Article 2: Decree-Law 2848 of December 7, 1940 - Criminal Code, is now amended by the
addition of the following Articles, 154-A and 154-B.

Article 154-A, Unauthorized access of computer devices: Accessing computer devices, be they connected or not to a network, violating without authorization security mechanisms, to obtain, tamper or destroy data or information without the express or implied consent of the owner of the device or to install programs or data intending to gain an unfair advantage: Penalty - detention of 3 (three) months to one (1) year and a fine.

i) The same penalty shall apply to those who produce, deliver, distribute, sell or disseminate a device or computer program in order to facilitate the commission of the conduct defined above.

ii) The penalty will be increased by one sixth to one third if the unauthorized access results economic loss.

iii) In the event that the access results in the obtaining of private electronic communications, commercial or industrial secrets, confidential information, as defined by law, or the unauthorized control remotely of a computer device: Penalty - imprisonment of six (6) months to two (2) years and a fine, where the conduct does not constitute a more serious crime.

iv) In the case of iii) above, the penalty shall be increased by one third to two thirds
if any disclosure by any means of the data or information obtained is sold or transferred to a third party.

v) The penalty shall be increased by one third to a half if the offense is committed against:
a. the President, governors or mayors;
b. the Chairman of the Supreme Court;
c. Chairman of the Chamber of Deputies, the Senate, the State Legislative Assembly, the Legislative Chamber of a Federal District or Municipality;
d. the head of a direct or indirect federal, state, local or Federal District administration."

Article 154-B, Criminal prosecution: The offenses defined in article 154-A, will be brought by
request unless the offense is committed against the direct or indirect administration of the
Union, States, Federal District and Municipalities or against Utilities or Public Services."

Article 3: Articles. 266 and 298 of Decree Law 2848 of December 7, 1940 - Criminal Code,
become effective with the following wording:
"Interruption or disruption of telegraph, telephone, computer, telematic or public information
service”

Article 266. .................................................. ......................
i) The same penalty shall apply to those who interrupt telematic or public information services, or prevent or hinder their recovery.
ii) Penalties shall be doubled if the crime is committed during a time of public crisis."(NR)

Counterfeiting of Private Documents

Section 298. .................................................. ......................
Counterfeiting of a card
Single paragraph. For purposes of this head, will mean any personal card, credit card or debit card.

Article 4: This Law shall enter into force 120 (one hundred twenty) days after official publication.

Brasilia, 30 November 2012; 191st and 124th Independence of the Republic.

The first point to mention is the fact that the law limits the typifying of invasion to cases in which an “infringement of security mechanisms” occurs, excluding computer devices without protection mechanisms from the enforcement. Moreover, the expressions “security mechanism” and “computer device” (Only hardware, what about software?) are not defined by the law, raising doubts about the legal framework in certain cases.

Furthermore, since the conduct “to invade” gives the idea of “entering forcefully”, cases
of inappropriate acquisition of data through social engineering techniques and other means (e.g. disclosure of password by the owner to third parties) theoretically would not be included in the newly born classification. This is because such actions would not constitute violation, but merely unauthorized access.

Additionally, it is possible to foreseen a broad debate about who would be the “owner of the
dispositive” invaded – expression used to designate the victim. The legal text seems to refer only to the owner, not clarifying if an eventual possessor or user could also be protected.
It is also important to mention that, concerning the penalization of disclosure of industrial secrets obtained by invasion, there is an apparent duplicity of legal prediction: the improper disclosure was already considered crime by the Protection of Industrial Property Law (Law 9.279/96).

It’s true enough that the new law comprises many other interesting topics. However, the sentences imposed appear to be too soft, allowing the enforcement of the conditions of Special Courts’ proceedings. This when the international trend is precisely the opposite: recently it became news the fact that the State of California (USA) condemned to 10 years of prison a hacker accused of stealing pictures from celebrities through the web - in addition to the payment of a compensation for the sum of 76 thousand dollars.

Obviously, we are not advocating the sudden increase of Brazil’s prison population just to punish computer crimes. Nevertheless, it is hard to understand how the creation of a law after so many years of debate, can establish punishments with such a weak deterrent effect. Such aspect of the penalties is disconcerting since in the majority of computer crimes the material loss is just a small part of the problem: the damage occurs within the intimate sphere of private lives or concerning sensible business information – what makes the lost data invaluable for the victim.

For these reasons, it seems lenient to punish such conducts with the concession of benefits directed to minor crimes. If technology achieved a relevant role in the daily life of the Brazilian citizen, the law should follow this change, recognizing in practice its gigantic potential to affect people’s lives – for better or, unfortunately, for worse.

Renato Opice Blum - Attorney, Economist and President of the IT Advisory Board of Fecomercio.